IASME Cyber Assurance Explained for UK SMEs
IASME Cyber Assurance is a UK cybersecurity certification scheme designed specifically for SMEs — covering governance, risk management, and security practices beyond the purely technical focus of Cyber Essentials. It is the recommended stepping stone toward ISO 27001 for businesses that need a structured security framework.
Overview
IASME Cyber Assurance is a UK cybersecurity certification covering technical controls, governance, risk management, policies, and GDPR. It is designed for SMEs as an accessible alternative to ISO 27001 and includes Cyber Essentials within its framework. IASME is the NCSC's Cyber Essentials delivery partner.
What Is IASME Cyber Assurance?
Within the UK cybersecurity certification landscape, IASME Cyber Assurance occupies a distinctive position. Developed by IASME (Information Assurance for Small and Medium Enterprises), it is a comprehensive cybersecurity standard specifically designed for SMEs that goes significantly beyond the purely technical focus of Cyber Essentials. IASME Cyber Assurance — sometimes referred to as the IASME Governance standard — covers 149 controls across five domains: governance and risk management; information security policies; information security management; asset management; and technical security controls.
What makes IASME Cyber Assurance particularly relevant is its dual focus. It covers not just whether the right technical controls are in place, but whether the organisation approaches security in a structured, managed, and governed way. It also embeds GDPR data protection controls within its framework, making it a single certification that addresses both cybersecurity and data protection obligations simultaneously.
The DSIT Cyber Security Breaches Survey 2025 found that 43% of UK businesses experienced a cybersecurity breach or attack in the past 12 months (DSIT 2025). Many of these breaches occurred not because of a single technical failure, but because of governance gaps — the absence of policies, risk assessments, and structured security management that IASME Cyber Assurance is specifically designed to address.
How IASME Relates to Cyber Essentials
IASME is the organisation that manages the Cyber Essentials scheme under licence from the NCSC. This relationship is important to understand: IASME is both the operator of the UK's most widely adopted cybersecurity certification (Cyber Essentials, with 55,995 certifications in 2025 according to the NCSC) and the creator of its own broader standard.
Cyber Essentials focuses on five specific technical controls — firewalls, secure configuration, access control, malware protection, and patch management. These controls defend against the most common commodity cyber attacks and are achievable for businesses of any size. However, Cyber Essentials does not address security governance, risk management, security policies, business continuity, or data protection compliance.
IASME Cyber Assurance includes all five Cyber Essentials controls and builds upon them with governance, policy, risk management, and GDPR requirements. A business could hold Cyber Essentials certification — demonstrating that the right technical controls are in place — whilst having no written security policies, no formal risk assessment process, no business continuity plan, and no documented approach to data protection. IASME Cyber Assurance requires all of these elements, providing customers, partners, and regulators with significantly greater confidence in the organisation's overall security maturity.
Achieving IASME Cyber Assurance also satisfies the Cyber Essentials requirements, meaning you do not need to pursue both certifications separately.
The IASME Cyber Assurance Standard: What It Covers
Governance and Risk Management
The standard requires organisations to have a defined approach to identifying, assessing, and managing cybersecurity risks. This includes conducting regular risk assessments, maintaining a risk register, and ensuring that security decisions are made based on an understanding of the threats and vulnerabilities specific to your business. Only 14% of UK businesses have a formal incident response plan (DSIT 2025) — IASME Cyber Assurance requires documented incident response procedures as part of its governance framework.
Information Security Policies
Written security policies must be in place, communicated to staff, and reviewed regularly. These typically include an overarching information security policy, acceptable use policies, access control policies, and data handling procedures. The standard requires evidence that policies are not just documented but actively followed and enforced.
Information Security Management
The organisation must demonstrate that security is actively managed — not treated as a one-off project but as an ongoing responsibility. This includes assigning security responsibilities, conducting regular reviews of security effectiveness, and maintaining awareness of changes in the threat landscape that might affect the organisation's risk profile.
Asset Management
A current inventory of all information assets — devices, software, data stores, cloud services — must be maintained. You cannot protect what you do not know about, and asset management is fundamental to effective security governance. The standard requires that assets are classified based on their sensitivity and that appropriate controls are applied based on classification.
Technical Security Controls
The five Cyber Essentials technical controls are included within IASME Cyber Assurance, ensuring that the baseline technical protections are in place. Additionally, the standard covers areas such as encryption, backup and recovery, and monitoring that go beyond the Cyber Essentials scope. With 85% of breaches involving phishing (DSIT 2025), the technical controls section addresses email security, access management, and endpoint protection alongside the core Cyber Essentials requirements.
IASME Cyber Assurance vs ISO 27001
ISO 27001 is the international information security management standard and the gold standard for demonstrating security maturity globally. It is comprehensive, highly credible, and widely recognised — but it is also complex and expensive to achieve and maintain. The certification process involves extensive documentation, internal audits, management reviews, and regular surveillance audits by accredited certification bodies. For many SMEs, ISO 27001 is disproportionately demanding relative to their size, resources, and risk profile.
IASME Cyber Assurance provides approximately 70% of ISO 27001 coverage, scoped and priced appropriately for SMEs. The assessment process is more proportionate, the documentation requirements are less onerous, and the cost of certification is significantly lower. The average cost of a data breach for UK organisations was £3.4 million (IBM 2024) — IASME Cyber Assurance provides a cost-effective way to demonstrate that you have structured security management in place to reduce this risk.
For businesses that plan to pursue ISO 27001 in the future, IASME Cyber Assurance provides an excellent preparatory framework. The policies, governance structures, risk management processes, and documentation practices required for IASME Cyber Assurance form the foundation that ISO 27001 builds upon, avoiding the need to start from scratch when you are ready to progress.
The Assessment Process
IASME Cyber Assurance is assessed via an online questionnaire reviewed by an IASME-approved assessor. The questionnaire covers all 149 controls across the five domains, and responses must be supported by evidence — policies, procedures, records of staff training, risk assessments, asset inventories, and technical configuration documentation. The assessor reviews your responses and evidence, identifies any gaps, and works with you to address them before certification is awarded.
An independently verified version of IASME Cyber Assurance is also available, providing a higher level of assurance. In the verified assessment, the assessor conducts a more detailed review of evidence and may interview staff, observe processes, or review systems directly. This option is appropriate for businesses with more demanding customer or regulatory requirements, or those seeking the strongest possible evidence of security maturity.
The assessment fee for most SMEs is in the range of £500 to £1,500 depending on organisation size and the level of assessor involvement. This is the certification fee alone — the cost of implementing missing controls, developing required policies, and preparing evidence is additional and depends on your starting position.
Benefits of IASME Cyber Assurance
- Demonstrates security governance maturity beyond technical controls alone — giving clients, partners, and regulators greater confidence
- Includes Cyber Essentials within its framework — achieving a single certification that covers both requirements
- Embeds GDPR data protection controls — addressing both security and compliance in one certification
- Provides a structured pathway toward ISO 27001 — building the governance foundation without the full ISO 27001 cost and complexity
- NCSC-recognised — IASME's role as the Cyber Essentials delivery partner lends credibility to the wider IASME Cyber Assurance standard
- Annual renewal builds on existing documentation — each year's renewal is less burdensome as the governance framework matures
Preparing for IASME Cyber Assurance
AMVIA recommends allowing eight to twelve weeks for businesses starting from scratch. The preparation involves implementing any missing technical controls (aligned with Cyber Essentials requirements), developing required policies and procedures, conducting a formal risk assessment, building an asset inventory, documenting staff training records, and gathering evidence to support questionnaire responses. AMVIA's readiness assessment identifies your current position against the standard and what needs to be addressed before the formal assessment.
How AMVIA Supports IASME Certification
AMVIA supports UK businesses through IASME Cyber Assurance as part of its managed cybersecurity service. AMVIA implements the technical controls required, assists with policy development and risk assessment documentation, and guides businesses through the evidencing and questionnaire process. For businesses pursuing IASME Cyber Assurance as a stepping stone toward ISO 27001, AMVIA's approach builds the governance foundation systematically, ensuring that the investment in IASME Cyber Assurance directly supports future ISO 27001 certification rather than requiring parallel work streams.
Key Points
What UK businesses need to know about IASME Cyber Assurance.
Beyond Technical Controls
IASME Cyber Assurance covers policies, governance, risk management, and GDPR compliance — not just the five technical controls of Cyber Essentials.
SME-Focused Design
Unlike ISO 27001, IASME Cyber Assurance is scoped and priced for SMEs — assessed via questionnaire with optional independent verification.
NCSC Recognised
IASME is the NCSC's Cyber Essentials delivery partner. IASME Cyber Assurance is widely recognised as a credible UK cybersecurity certification.
Pathway to ISO 27001
IASME Cyber Assurance covers approximately 70% of ISO 27001 requirements, making it an effective stepping stone toward full ISO 27001 certification.
IASME Cyber Assurance Readiness Checklist
- Cyber Essentials five controls in place — CE is included in IASME Cyber Assurance
- Written information security policy documented and communicated to staff
- Risk assessment conducted and documented
- Asset inventory maintained — all devices and software recorded
- Staff security awareness training evidenced
- GDPR data protection controls in place — privacy notices, consent management, breach response
Frequently Asked Questions
IASME Cyber Assurance is broader and more comprehensive than Cyber Essentials — it includes CE's five technical controls plus governance, risk management, policies, and GDPR. Whether it is 'better' depends on what you need it for. If you need to meet a government contract requirement, CE is what is specified. If you want to demonstrate overall security maturity to customers or a supply chain, IASME Cyber Assurance is the more credible standard.
Standard UK government contracts specify Cyber Essentials (or CE Plus) as the minimum requirement. IASME Cyber Assurance includes CE, so it meets and exceeds the CE requirement. However, because tender documents name CE specifically, IASME Cyber Assurance on its own may not be accepted unless CE is also included or the contracting authority explicitly accepts it as an equivalent. AMVIA recommends confirming with the contracting authority before relying on IASME Cyber Assurance alone for contract purposes.
IASME Cyber Assurance assessment fees are set by the certifying body and vary by assessor. For most SMEs, the assessment fee is in the range of £500 to £1,500 depending on organisation size and the level of assessor involvement. This is the certification fee alone — the cost of implementing any missing controls, developing required policies, and AMVIA's support in preparing for assessment is additional. Contact AMVIA for a tailored quote based on your current position.
Achieve IASME Cyber Assurance
AMVIA guides UK businesses through IASME Cyber Assurance certification — implementing controls, developing policies, and managing the assessment process.
Related Resources
Cyber Essentials Guide
The NCSC-backed baseline certification managed by IASME — included within IASME Cyber Assurance.
Cyber Essentials Plus
The independently verified version of Cyber Essentials — required for MOD and sensitive contracts.
Managed Cybersecurity Services
AMVIA's managed security service that implements and maintains the controls IASME requires.